Problem: Nearly every UNIX/Linux user will use X11, i.e. X-Windows, across a network for GUI-based applications. X11 is noted for its poor security and is a common target for attackers.
OpenSSH provides X11 forwarding, which will automatically encrypt all X11 traffic, thereby reducing some of the security concerns with X. OpenSSH also improves the behind-the-scenes X-Windows authentication by encrypting the authentication process.
Another handy feature of X11 forwarding is that OpenSSH will automatically set the DISPLAY variable for you so that X applications are automatically displayed back to your local system.
There are a couple of SSH configuration options that are required in order for the remote OpenSSH server to enable X11 forwarding. Make sure these options are set in sshd_config:
X11Forwarding yes
X11UseLocalhost no
$ ssh -X -l sshuser server.example.com
sshuser@server.example.com's password: *********
Last login: Fri Dec 20 15:45:12 2002 from client.example.com
Sun Microsystems Inc. SunOS 5.8 Generic February 2000
Once authentication has successfully taken place, the DISPLAY environment variable should be automatically set on the client, as shown below, to a display number that is higher than normal:
$ echo $DISPLAY
localhost:10.0
$ xclock &
[1] 7324
$
Tech-Tip:
To help better understand the X11 forwarding feature of OpenSSH, it is helpful to keep in mind that X-Windows uses a "reverse" client/server design. In the example presented here, the X-Windows "server" is located on the SSH "client" whereas the X-Windows "client" is the SSH "server".
Once again, note that the SSH client never had to set the DISPLAY variable manually after it connected to the OpenSSH server. Without OpenSSH, we would have had to do this before running xclock, otherwise we would get "Error: Can't open display" or a similar error message.
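An added example, not from the original text: a shell check of the two sshd_config options above. It shows where the high display number comes from (X11DisplayOffset, default 10) and flags X11UseLocalhost no, because that setting makes sshd bind the forwarding listener to the wildcard address instead of loopback. The function names and the sample file are constructed for illustration; Match blocks and Include files are not evaluated.

```shell
#!/bin/sh
# Added example, not from the original text. File contents below are constructed.

# sshd_value FILE KEYWORD DEFAULT
# Print the first value given for KEYWORD in the global section of FILE
# (sshd uses the first occurrence; keywords are case-insensitive), else DEFAULT.
# Assumption: Match blocks and Include files are not evaluated.
sshd_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }                       # comment line
        { sub(/[ \t]*=[ \t]*/, " ") }             # accept "Keyword=value"
        tolower($1) == "match" { exit }           # stop at first Match block
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_x11 FILE: print findings; return 1 if the X11 listener is not loopback-only.
audit_x11() {
    fwd=$(sshd_value "$1" X11Forwarding no)        # OpenSSH default: no
    loc=$(sshd_value "$1" X11UseLocalhost yes)     # OpenSSH default: yes
    off=$(sshd_value "$1" X11DisplayOffset 10)     # OpenSSH default: 10
    if [ "$fwd" != yes ]; then
        echo "INFO X11Forwarding=$fwd: no display will be forwarded"
        return 0
    fi
    echo "INFO first forwarded display is :$off.0, sshd listens on TCP $((6000 + off))"
    if [ "$loc" = no ]; then
        echo "WARN X11UseLocalhost=no: listener binds the wildcard address, not just loopback"
        return 1
    fi
    echo "OK   X11UseLocalhost=$loc: listener binds loopback, DISPLAY=localhost:$off.0"
    return 0
}

# Constructed sample: the two options as given in the text above.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'X11Forwarding yes' 'X11UseLocalhost no' > "$sample"
audit_x11 "$sample" || echo "=> review X11UseLocalhost before exposing this host"
rm -f "$sample"
```

On a live server, `sshd -T` prints the effective configuration including defaults and is the authoritative source; the parser here only reads a file.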
Running X11 applications over a public or unsecured network can be dangerous since the X11 connection is not encrypted and therefore sensitive information could potentially be compromised. Additionally, running X11 applications through firewalls usually involves opening up multiple ports which firewall administrators typically do not like to open. To avoid these problems, X11 applications can be tunneled through SSH and onto a Windows computer:
Note:
In order for the following to work, an X11 server, such as Cygwin's XFree86 or Hummingbird's Exceed, must be running on the Windows machine. The remote OpenSSH server must also be configured to allow X11 forwarding; this can be accomplished by setting the X11Forwarding option in sshd_config to "Yes".
[sshuser@server.example.com]$ echo $DISPLAY
localhost:10.0
[sshuser@server.example.com]$ xclock &